DESIGNING AND IMPLEMENTING A WORLD CLASS RISK AND CONTROLS MONITORING FUNCTION

Transcription

1 DRAFT FOR DISCUSSION PURPOSES ONLY DESIGNING AND IMPLEMENTING A WORLD CLASS RISK AND CONTROLS MONITORING FUNCTION Presented to New York IIA-ISACA NY Metro Chapters October 26, 2012 Ray Purcell (Pfizer) and David Hodgson (Deloitte & Touche LLP)

2 The world s premier biopharmaceutical company. We make medicines and vaccines that help people and animals when they are sick and prevent them from getting sick in the first place

3 Pfizer Today $67 BILLION revenue in 2011 manufacturing sites worldwide countries in which Pfizer sells products #1 Primary Care, Specialty Care and Animal Health businesses worldwide MORE THAN 100,000 colleagues around the globe - 3 -

4 Governance Model: The Four Lines of Defense Level 1 activities are part of the day to day business operations. Finance One has been impacting and addressing Level 1 activities via processfocused workshops and recommendations over the past several months. Examples: Performing account reconciliations Documenting results Governance Board ELT FLT Corp. Oversight Corporate Audit Independent Risk-based Pan-Pfizer Risk Identification/Monitoring Pan-Pfizer Strategic Link for Risk Monitoring & Escalation Identification of Trends and Opportunities First Line Quality At the Source Continuous Assessment Quality Control Transaction Processing Level 3 activities are performed independently and periodically by Pfizer Corporate Audit. One Audit initiative focused on improving the efficiency and effectiveness of Level 3 activities. Level 2 activities are ongoing risk, compliance and control monitoring activities. Examples: Monitoring key metrics (e.g., # of account reconciliations performed) Identifying trends across markets/plants 1-4 -

5 GRCC Project Overview and Anticipated Benefits GRCC Project Overview Improve the effectiveness of oversight and monitoring of internal controls and regulatory compliance activities across Pfizer through: 1. Establishing a Compliance Center of Excellence (CoE) to enable consistency of interpretation and execution of regulatory compliance activities and to provide clarity of ownership 2. A redesign of Level 2 monitoring for in scope activities to enable a proactive risk based approach and monitoring of key risk areas. Scope would include: a. Centralized top level risk assessment b. Monitoring of the following in scope activities: a. FCPA / Healthcare compliance b. Internal Controls over Financial Reporting (SOX) GRCC Anticipated Benefits Benefits Enhanced accountability, consistency and transparency related to compliance activities Greater alignment of market compliance and control efforts with Pfizer s overall risk assessment Reduced burden on the business through centralized approach to strategy and planning, deployment of consistent methodologies, and streamlining of processes / sharing of leading practices across markets Reduced risk exposure due to greater transparency into risks, issues and trends across the business on a continuous basis (enhanced enterprise-wide view) Enhanced accountability and clear path for risk and issue escalation - 5 -

6 GRCC Model Development Approach Inputs GRCC Functional Model GRCC Operating Model Baseline Data Current State Assessment Site Visits Scope ICOFR/SOX FCPA/HCC ITGC Controller FCPA/GPIHP/Global Vet COE Canada/DM Europe GRCC Leader AfME/EM Europe Management Risk Committee ICOFR/SOX COE Asia/Latin America BTQ&C Leader Compliance COE CQ ACTIVITIES TAXONOMY Governance & Oversight Policies & Procedures Risk Identification & Assessment Risk & Compliance Management Monitoring Reporting & Escalation Communication & Training Governance and Oversight GRCC Methodology / CQ Approach / Reporting Deep Dives Markets Local Leadership Risk Adjusted View of Locations (IA Risk Assessment) Defined GRCC Activities for ICOFR/SOX, FCPA/GPIHP/GV Organization / Market Redesign and Optimization / Change and Communications Industry Experience Governance Framework and Committees Organizational Design & Headcount Roles and Responsibilities Job Descriptions Enabling Technology Implementation Strategy Implementation Roadmap Workforce Plan Communications & Training Plan - 6 -

7 Summary of the Key GRCC Roles Process View Process Governance & Oversight Policies & Standards Risk Identification, Assessment & Measurement Risk & Compliance Management Key GRCC Activities Develop common definitions, framework and risk appetite For FCPA and HCC, leverage framework and risk appetite established by Corporate Compliance Interpret policies, identify key control requirements and drive development of guidance related to areas in scope Identify new/changed ICOFR laws and regulations and develop ICOFR related policies Design the risk and control self-assessment ( RCSA ) methodology and approach Lead, coordinate and facilitate the RCSA process and review results Recommend continuous improvement of controls through automation and streamlining and oversee remediation of gaps in high risk areas Provide guidance on the development of action plans related to high risk areas Risk & Compliance Monitoring Design effective ongoing monitoring approaches Perform risk based monitoring (analytics, metrics, select sample testing, etc.) Risk & Compliance Reporting & Escalation Report key risk, compliance and control information to key stakeholders based on their needs. Develop escalation protocols and escalate issues up Communication & Training Develop overall training plans, review or facilitate development of local training using a risk based approach - 7 -

8 Implementation and Monitoring Strategy and Planning Oversight Updated GRCC Functional Model and Key Functional Responsibilities VP/Controller Management Risk Committee Oversight and sets tone at the top Critical issue escalation GRCC Leader **BT Q&C Leader Set mission, goals, and guiding principles for GRCC Communicate key activities, trends and results Risk-based resource allocation Coordination with other risk groups (e.g. Corporate Audit ( CA ), Compliance) Healthcare Law Compliance/ FCPA COE Americas Regional Leader Europe Regional Leader Asia Regional Leader ICOFR/SOX COE AfME Regional Leader *Markets/Plants (i.e., Emerging Markets, Developed Markets, GFS) Compliance COE * Detailed deployment strategy for Geography and Market/BU GRCC resources will be determined during detailed implementation planning ** Outside of the GRCC Function **Local Leadership Interpret new or changing regulations for the risk area Lead the risk assessment process for the risk area Determine control requirements based on risk profile Determine governance framework and approach for monitoring Aggregate monitoring results and generate consolidated reporting Focal point of contact to business unit leaders for unique issues Deploy methodologies, tools and training to the markets Evaluate results of monitoring activities for risks, issues and trends Identify emerging or changing risks in the geography Communicate with FDs, Controllers, business, CA, etc. (e.g., implementation/monitoring, changes in business strategy, etc.) Regionally located, business unit agnostic Perform monitoring activities at the market level Coordinate with market/site/plant level regarding design and implementation of controls to address risk In market point of contact for CA Identify emerging or changing risks in the market Market/regionally located, business unit agnostic Risk based deployment of resources - 8 -

9 Corporate Audit GRCC Governance Framework and Connection with the Business The goal of the GRCC functional model is to provide a pan-pfizer approach to managing and monitoring risks in scope. However, a strong connection to the business and appreciation of the unique nature of the business divisions/units will also be required for the success of the GRCC function. Management Risk Committee Management Risk Committee composition includes Divisional Finance Leaders and other key stakeholders Aggregation and Integration Risk, compliance and control metrics and key trends The Top Down View Risk and control appetite, risk policies, guidelines, and framework GRCC Function COE will be organized to provide divisional representation/ expertise and act as a focal point of contact to the business GRCC will work in close collaboration with Controllers, Legal, Compliance and BT Q&C Data Collection Risk and control metric inputs Operational View Practices and procedures, guidance on risk mitigation, facilitation of risk assessment Markets, Plants and Corporate Functions (e.g. Corporate BT, Finance, GFS, Business Divisions) Front line ownership and accountability for risks and controls reside in this group - 9 -

10 Standardization of the CCR Role: In-Scope Processes and Activities Of the activities listed below, we estimate that a majority (upwards of 90%) are currently being performed by RAMs (CCRs) at some degree, although inconsistent across Pfizer. Additionally, certain compliance activities may be currently performed by other Finance colleagues (e.g., Trend Analysis) in some markets. Provided below is an approximate percentage of time CCRs would allocate to each specific process depending the on market. Governance (Less than 1%) Provide input on the strategy for financial reporting and FCPA/GPIHP/ GV risk management, compliance quality activities and reporting Policies and Procedures (Less than 5%) Provide in market support, guidance, and consultation to ensure process and internal control changes are documented in local SOPs; streamline and harmonize local policies; work with BPOs/Legal to develop and maintain a central repository for local SOPs; maintain a change management process for local SOPs Risk Identification, Measurement and Assessment (Less than 5%) Execute and coordinate annual ICOFR and FCPA/GPIHP risk assessment; consult on design and maintenance of a standard methodology by GRCC leadership to identify and prioritize existing and emerging ICOFR and FCPA/GPIHP/GV risks and controls Risk and Compliance Management ( ~ 25% to 30% depending on market) Provide local consultation and support with guidance on controls, best practices; document ICOFR RCMs using guidance provided by GRCC Leadership and maintain baseline of controls; provide support and guidance to BPOs in the development, execution, and documentation of remedial actions for any deficiencies; responsible for preparing annual FCPA and GPIHP Trend Analysis and certification Risk and Compliance Monitoring (approximately 50% depending on market) Execute CQ monitoring activities using guidance, tools, and templates provided by GRCC Leadership including: Coordination and execution of market internal control selfassessment and certifications Coordination and execution of SOX 302 and 404 certifications Execution of analytical reviews Performing walkthroughs of key controls Performing sample based reviews in the areas of ICOFR, FCPA/GPIHP/GV, and T&E to identify control deficiencies Risk and Compliance Reporting and Escalation (Less than 5%) Report results of compliance quality activities using guidance and tools developed by GRCC Leadership; execute escalation protocols designed by GRCC Leadership for deficiencies or issues identified as a result of the execution of compliance quality activities Training (Less than ~ 5%) Facilitate development of periodic training materials related to ICOFR, FCPA/GPIHP/GV, and T&E including new hires and contractors; perform periodic training in the market on ICOFR, FCPA/GPIHP/GV, and T&E Other Compliance Activities (~ 15%) Implement and support business in roll-out of new compliance requirements and changes in policies and procedures and CoE Compliance initiatives

11 What have we learned? Some things worked well that we thought would be challenging Stronger support than expected from our Finance Directors in the field The compliance professionals in the field reacted very positively to being part of a global effort Both internal and external audit have been very supportive There were some unexpected challenges There is a constant demand for training, and deep dive training that provides detailed guidance It is difficult to do this without effective tools / technology Balancing the monitoring and advisory roles is always going to be a challenge Key lessons learned Change management matters: having a clear vision, communicating it well and constantly, and delivering the training needed to enable people to succeed in the new roles are all very important. Plan to measure and monitor your progress to make sure the change is fully and consistently implemented. Connecting the efforts of people across sixty countries requires effective tools and technology. Our work can help us to better mitigate risk while also introducing efficiencies through the application of our specialized skills and knowledge, working in collaboration with our partners in business finance. As we appraise the project at the end of the first year, it has been a success Looking ahead, the challenge of Year Two will be to move from a start-up mode to business-as-usual, from a project mode to one of sustainable and consistent processes

12 Working together for a healthier world